Archive
Highlighted

How can I extract different arrays from a field to visualise?

New Member

Hi,

I have a text file that contains data which looks like

"x:[-0.01,0.04,0.9],y:[0.00045,0.00035,0.03],z:[0.00115,0.0012,0.001]"

Now my idea was to visualise x, y and z in a nice way(I am using the names x, y, z just for example's sake, they would be different depending on data). I got the data into Splunk and all of the data appears in field1 . I can't understand/figure out a way to get three fields from this field1, by three fields I mean x, y and z with their values respectively. I tried "extract field" but couldn't manage the way I needed.
To visualise this data in a nice representation, I must extract them from field1 but I am really clueless. Would some one please help, and guide me in the right direction. I haven't worked with Splunk before and thats why I don't have much knowledge about it yet.
I appreciate any help, thanks.

Tags (3)
0 Karma
Highlighted

Re: How can I extract different arrays from a field to visualise?

SplunkTrust
SplunkTrust

Hey annie22,

have you tried the | rex command yet?
Other than that please give us more sample data + an expected output as your explanation doesn't tell me how it should look like in the end.

Thanks,
pyro_wood

Highlighted

Re: How can I extract different arrays from a field to visualise?

New Member

Hi pyro_wood,
Thank you for your comment, I haven't looked into rex, didn't know about it, going to look it up.
Here is the sample file data that I have currently:

"x:[-0.014800000000000002,-0.014871794871794873,-0.015184210526315788,-0.015081081081081082,-0.01586111111111111,-0.015457142857142862,-0.015264705882352944,-0.015000000000000003,-0.014374999999999999,-0.013387096774193549,-0.010966666666666668,-0.009517241379310346,-0.007285714285714286,-0.010481481481481482,-0.00830769230769231,-0.006160000000000001,-0.006875000000000002,0.0015217391304347839,-0.0039545454545454545,-0.003809523809523809,-0.0029000000000000002,-0.0038947368421052638,-0.010555555555555556,0.006411764705882354,0.002125,-0.007933333333333332,-0.009142857142857144,-0.006153846153846153,-0.00025,-0.00009090909090909092,-0.0001,-0.00022222222222222231,0.0008749999999999999,0.0012857142857142856,-0.0003333333333333335,0.0012000000000000001,0.00075,0.0016666666666666668,0.0035,0],y:[0.00045000000000000004,0.00035897435897436035,0.0001578947368421065,0.000054054054054055205,-0.00027777777777777696,-0.00034285714285714215,0.000058823529411765954,0.00018181818181818324,-0.000031249999999998754,-0.00016129032258064402,0.0001666666666666682,-0.0005517241379310337,0.0008571428571428573,-0.0023333333333333327,0.0027692307692307712,0.001720000000000001,0.001875000000000001,0.00830434782608696,0.007000000000000001,0.005476190476190476,0.0048000000000000004,0.003473684210526318,-0.0005555555555555539,-0.005529411764705882,-0.01425,-0.009200000000000002,-0.005428571428571429,-0.0007692307692307691,-0.0013333333333333333,-0.0016363636363636365,-0.0018000000000000002,-0.002111111111111111,-0.0025,-0.002285714285714286,-0.0036666666666666666,-0.002,-0.00275,-0.0013333333333333333,0,0],z:[0.00115,0.0012307692307692308,0.0011578947368421052,0.0014054054054054058,0.001444444444444445,0.0012000000000000003,0.001411764705882353,0.001272727272727273,0.0010625,0.001064516129032258,0.0007000000000000009,0.0029999999999999996,0.003428571428571429,0.011333333333333332,0.00030769230769230835,-0.0002799999999999999,-0.008208333333333331,-0.008304347826086954,-0.005954545454545452,-0.00461904761904762,-0.00385,-0.00268421052631579,-0.0025,0.003764705882352942,0.010500000000000002,0.010000000000000002,0.006285714285714286,0.00023076923076923063,0.0016666666666666663,0.0008181818181818183,0.0009000000000000001,0.0008888888888888889,0.000625,0.00028571428571428574,0,0.0002,0.0005,0,-0.001,0]"

Sorry for not being so clear, I will try to explain, having this data in mind, when Splunk reads it from file, it shows all of it in 1 field, my problem is when I click on visualisation, I want in statistics table three columns with names x, y and z, and their data under them. I am not sure if that is even possible in Splunk.

for the sake of a smaller example if the data is:

 "x:[1,4,9,4],y:[45,35,3,0],z:[115,12,1,9]"

I want to see in statistics table as an expected result some thing like this:

alt text

Thank you!!!

0 Karma
Highlighted

Re: How can I extract different arrays from a field to visualise?

New Member

Oops sorry, my previous comment doesn't show the image link where I had expected result, I think because I don't have enough points so it won't let me use any hyperlink. So I will try explaining instead, I would like as expected result a table with in this case three columns, x, y and z and then their values under them. Sorry for the inconvenience.

0 Karma
Highlighted

Re: How can I extract different arrays from a field to visualise?

New Member

Try with this:
| eval mynewfield=case(field1 =="x:[-0.01,0.04,0.9]")

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.